InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity March 2010
Security Knowledge

Username and Password: A Dying Security Model

“Are passwords truly free?” “Is the use of a username and a password secure?” “Will my end-users comply with a new strong password policy?” “How can I prevent my users from writing down their usernames and passwords?” This article addresses these issues, the costs associated with the use of usernames and passwords, and their security relative to other available options.

These are just a few of the questions IT security professionals have been asking as regulatory pressures increase the scrutiny of access to private data. Many organizations use usernames and passwords to access everything from computers to online web portals to network resources, but does this mean that passwords are free, or secure? As more confidential data becomes accessible, enterprises are evaluating stronger security and searching for a replacement for traditional passwords. Unfortunately, stronger security has traditionally been linked to a poor user experience and has resulted in poor user adoption. This does not need to be the case.

Username and Password vs. The Metal Key

Since its inception, the metal key has become the most ubiquitous form of authentication for buildings and automobiles. The metal key is inexpensive to make and duplicate, it is simple to carry and it provides a relatively secure way to protect items located on the other side of the lock. Over the past 15 years, however, the metal key has been rapidly replaced within the enterprise by card-based access control, largely due to its inflexibility, the ease with which it can be shared and copied, and the difficulty of re-keying locks. In short, a new, more affordable, efficient and secure approach was designed for multiple users to access an entry point.

A parallel can be drawn between the metal key and the username and password. Usernames and passwords were the first form of authentication to be widely used for access to a computer or network resource, and they are rapidly being replaced by other forms of authentication that are more secure and convenient.

Let’s look at a few issues related to the use of the Username and Password.

To begin, let’s review the username. Usernames typically follow a simple format such as user’s first initial and last name. For example, Chris Johnson might have the following as his username: cjohnson. While IT administrators may change the parameters that create a username, they are usually designed to be easy to remember. Unfortunately, this makes the username easy to guess. Using a business card or information gathered on the internet, a username can be easily guessed by a hacker. Usernames are not intended to be secret, but rather, they are intended to be unique. The only security measure protecting sensitive data is a password.

Similar to the metal key, the password was the original form of authentication, but instead of opening a door, it is used to unlock a computer. At the outset, most IT administrators allowed their users to choose their own username and password. Just as bump keys were created as a simple way to unlock the traditional door lock to steal valuables, the fact that passwords protect sensitive data has spawned a new market for malicious activities such as password cracking tools, keystroke loggers, network monitoring and brute force attacks, just to name a few.

Perhaps even more concerning is user behavior. Users have often shared passwords, chosen simple dictionary words as passwords and utilized the same password for multiple applications. To address the limited security posture of username and passwords, several industry regulations began calling for the use of strong passwords. These passwords were created from policies that required a long password length and the combination of lower and upper case letters, numbers and/or special characters. These policies also called for a password change every 60-90 days. While this model increased the security level of the password, it also created an entirely new user behavior. Now users were writing down these various passwords and placing them in a desk drawer, or even posting them on their computer monitors. In the greater attempt to enhance security, basic user utility was sacrificed.

A new model was required that could address both a high level of security and user adoption. Bill Gates’ keynote speech at the RSA Conference in 2006 may have stated it best: “Passwords are the weak link,” Gates told his audience. “We need to move in the direction of smart cards, and multi-factor authentication must be built into the system itself. We need the ability to track what goes on and have a built-in recovery system.” Again, in 2007, Gates reiterated, “Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is. We see smart cards … [and] certificates in general as the way these things should go. You’ll be presenting certificates as opposed to weak passwords.”

What is better than Username and Password?

This article has addressed the security deficiencies of the use of username and password. Security is a necessary evil that is required to keep corporate assets protected and minimize risk, but it is not the only thing to consider when evaluating a log-on solution. Security, user adoption, scalability and the total cost of ownership all must be considered when evaluating alternate solutions to username and password.

Secure Access through Two-Factor Authentication

Two-factor authentication has replaced the use of username and passwords as a secure non-repudiated model to control access. Two-factor authentication, often referred to as “strong authentication,” replaces the use of a single “secret,” the password, with the combination of two or more of the following factors:

• something you have (such as a token or a card)
• something you know (such as a PIN)
• something you are (such as a biometric fingerprint image)

When the single “secret” is combined with a second factor, the security model becomes much more complex, making it difficult to bypass or spoof. At the same time, some methods of strong authentication can increase user convenience. Instead of remembering a 10-character alphanumeric password, a user can use a smart card and a PIN, just as if they were at the ATM. Of course, the more factors that are combined, the stronger the security model is. Several types of access management solutions are available, each with its own risk level and pros and cons.
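The card-plus-PIN model described above can be made concrete with a small verifier. The following is an added example, not code from the article or from HID Global’s products: it assumes a card that holds a symmetric key and answers a fresh random challenge with an HMAC (a simplification; real smart cards usually hold certificates and sign with a private key), a PIN stored only as a salted PBKDF2 hash, and a lockout after three failures. The usernames, PINs and keys are constructed sample data. The point it shows is that neither factor alone, nor a replayed card response, is accepted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 3          # lockout threshold (assumed policy value)
PBKDF2_ITERS = 200_000    # work factor for PIN hashing


@dataclass
class Enrollment:
    card_key: bytes        # key provisioned to the card at issuance (assumption)
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen database does not reveal PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERS)


def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """What the card does: prove possession of its key without revealing it."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues one-time challenges and checks both factors."""

    def __init__(self) -> None:
        self.users: Dict[str, Enrollment] = {}
        self.pending: Dict[str, bytes] = {}

    def enroll_user(self, username: str, pin: str) -> bytes:
        salt = os.urandom(16)
        e = Enrollment(card_key=os.urandom(32), pin_salt=salt, pin_hash=hash_pin(pin, salt))
        self.users[username] = e
        return e.card_key  # handed to the card once; the verifier keeps its own copy

    def challenge(self, username: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes, pin: str) -> bool:
        e: Optional[Enrollment] = self.users.get(username)
        nonce = self.pending.pop(username, None)   # single use: consumed here
        if e is None or nonce is None or e.failed_attempts >= MAX_ATTEMPTS:
            return False
        have_ok = hmac.compare_digest(card_respond(e.card_key, nonce), response)
        know_ok = hmac.compare_digest(hash_pin(pin, e.pin_salt), e.pin_hash)
        if have_ok and know_ok:
            e.failed_attempts = 0
            return True
        e.failed_attempts += 1
        return False


def demo() -> Dict[str, bool]:
    """Walk through the cases a practitioner wants to see refused or accepted."""
    v = Verifier()
    card_key = v.enroll_user("cjohnson", "4821")   # constructed user and PIN
    results: Dict[str, bool] = {}
    # 1. Genuine login: the card answers a fresh challenge and the user types the PIN.
    nonce = v.challenge("cjohnson")
    good_response = card_respond(card_key, nonce)
    results["both_factors"] = v.verify("cjohnson", good_response, "4821")
    # 2. PIN known but no card: a made-up response fails the possession check.
    v.challenge("cjohnson")
    results["pin_only"] = v.verify("cjohnson", os.urandom(32), "4821")
    # 3. Card in hand but wrong PIN: possession alone is not enough.
    nonce = v.challenge("cjohnson")
    results["card_only"] = v.verify("cjohnson", card_respond(card_key, nonce), "0000")
    # 4. Replaying the response captured in step 1 fails: that challenge was consumed.
    v.challenge("cjohnson")
    results["replayed_response"] = v.verify("cjohnson", good_response, "4821")
    # 5. Three failures have locked the account; even correct factors are refused.
    nonce = v.challenge("cjohnson")
    results["locked_out"] = v.verify("cjohnson", card_respond(card_key, nonce), "4821")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {'accepted' if outcome else 'refused'}")
```

The challenge is generated per attempt and discarded once checked, which is what stops a captured card response from being reused; the PIN is never compared in the clear, only through its salted hash. In a deployment, the per-user lockout counter would also feed the audit trail that the Gates quote above calls for.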

Table 1

In addition to the authentication solutions above, single sign-on is often incorporated so that a single password (or device) grants access not only to the Windows operating system but also to a multitude of applications. Two-factor authentication is recommended for any strong authentication solution because two authentication methods are required for a successful logon.

Table 2

User Adoption – Convenience is the Key to Success

Security is necessary for any log-on solution, but the security only works if the end-users follow the policy. Take the example mentioned earlier, where users were rendering the strong password policy obsolete by writing down passwords. What’s required from any two-factor authentication system is something that is truly convenient. The solution needs to be easy to install, deploy and maintain for the administrator, and it needs to be simple and convenient for the end-user. One-time passwords, for example, run into the problem that end-users do not want to be required to find their token and type a seemingly random number within a limited period of time, just to log on to their computer. They want something that is portable and simple to use. For the end-user, access to their system needs to be as simple as opening a door.

Scalability – Consider Growth

While most corporations purchase systems based on their current needs, scalability is an important thing to consider when evaluating two-factor authentication systems. The advantage of passwords, just like the metal key, is that they are ubiquitous: they are inexpensive and have no size limits. Some two-factor authentication systems, on the other hand, require significant management when dealing with a high number of users. Tokens become difficult to manage because they need to be replaced every few years, and biometrics remain difficult to implement and manage for high volumes of users.

Total Cost of Ownership - TCO

Whichever security model is chosen, the total cost of ownership is a key factor in determining the value of the proper solution. TCO includes much more than purely the acquisition cost. First we need to understand the cost to use and maintain a typical username and password log-on security system. Next, when evaluating a two-factor solution as an alternative, the hardware, software, system integration, installation, deployment to end-users, maintenance and device replacement must be considered.

At first glance it seems that the use of usernames and passwords is “free.” However, when we take a deeper look, costs ranging from password resets to wasted time and loss of productivity can be found. In addition to the initial cost of the call which includes the help desk personnel and systems and management costs, the end-user wastes time identifying the problem and placing a call to the help desk. If the end-user did not have to reset his password, both the end-user and the help desk would have had additional time to be productive. Loss of productivity also carries a cost that is equal to the fully burdened cost of the employees.

When calculating the TCO of the use of username and password, an enterprise must consider security. Weak security can result in immeasurable direct and indirect costs due to the exposure of sensitive information and resources to unauthorized users and intruders, not to mention issues resulting from non-compliance with industry regulations. Strong security may enable business opportunities that result in new or enhanced revenue streams, contributing to the bottom line. The expense related to password resets is only a part of the equation. While the intent of this article is not to provide a true ROI model, the following items should be considered when evaluating a two-factor authentication system.

  • Hardware (servers, tokens, cards, biometric readers, etc.)

  • Software (client software, administrator software)

  • System Integration required to function properly within the IT ecosystem

  • Installation – Time to install and changes, if any, that need to be made to the network infrastructure (changes to Active Directory Schema, etc.)

  • End-user Enrollment and Deployment – Staged approach vs. big bang, end-user training, etc.

  • Maintenance – Requirements for trained or dedicated full time employee

  • Device Replacement – Costs associated with replacing the token, card or reader when the device is lost or broken

Is there a Two-Factor Authentication Solution That Does It All?

The business challenge in safeguarding access is to provide a suitable level of security that does not compromise usability. Imagine being able to use the same card you use to access your building to also log in to your computer and network. For example, HID on the Desktop, a combination of an HID card, a reader and naviGO software, offers a complete solution for businesses of all sizes.

  • Security – use a strong, two-factor authentication solution that requires users to present a card (contact or contactless smart card) plus a PIN for log-in access

  • Convenience – use the same model that users use today to get cash from an ATM

  • Affordability – use the same card that you use today to access your building, and pay nothing for ongoing maintenance and support

Whether the new high frequency access cards are used or the proximity technology that preceded them, any HID card can be used with HID on the Desktop. It is now possible for corporations to use the same corporate badge for both physical access and two-factor authentication on the desktop.

Conclusion

In conclusion, two-factor authentication can significantly improve your overall security posture, lower costs, mitigate risk and enable your corporation to comply with any number of data privacy regulations. Administrators are realizing the dangers that result if they rely solely on usernames and passwords to provide authentication to network resources. The simple step of moving from password administration to two-factor authentication provides a major improvement in non-repudiated user access and more enforceable access policies. Just as the metal key has been replaced by an RFID card at the door, two-factor authentication can be used to replace the username and password for log-on access. Those solutions that are secure, affordable, easy to install and maintain, and enhance user convenience will be adopted quickly. And perhaps most importantly, organizations may be able to better utilize systems that are already in place. Users would benefit from replacing complex passwords for online, offline and remote access with a single card and user PIN. Enterprise security could be no more complicated than using the local ATM.

—By: Ranjit Nambiar, Country Head, India, HID Global


